Westwoods Health Club (“The Club”) is part of Fettes Enterprises Ltd with registration number SC187460. The Club is a Data Controller for the purposes of Data Protection Law (the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and any legislation that, in respect of the United Kingdom, replaces, or enacts into United Kingdom domestic law, the General Data Protection Regulation (EU) 2016/679, the proposed Regulation on Privacy and Electronic Communications or any other law relating to data protection), which means it determines how an individual’s personal data is processed and for what purposes.
Fettes Enterprises Limited aims to promote and provide an outlet for exercise, health and wellbeing, which it does by operating Westwoods Health Club located within the grounds of Fettes College, an independent boarding and day school. Some of the additional policies mentioned in this document relate to policies managed by Fettes College due to the nature of both organisations operating within the same grounds.
ABOUT THIS NOTICE
This Notice is intended to provide information about how the Club will use (or “process”) personal data about individuals including: its personnel, its current, past and prospective members, guests, sports hall users and participants of other club initiatives (such as Westwoods Superstars and Swim Stars) and customers of the café.
This information is provided in accordance with the rights of individuals under Data Protection Law to understand how their data is used. The Club’s personnel, members, prospective members and visitors are all encouraged to read this Privacy Notice and understand the Club’s obligations to its entire community.
This Privacy Notice also applies in addition to the Club’s other relevant notices and policies, including:
- any contract between the Club and its staff and members;
- the Club’s policy on taking, storing and using images;
- the Club’s policy on the use of CCTV (managed by Fettes College);
- the Club’s retention of records policy;
- the Club’s safeguarding and pastoral policies;
- the Club’s Health and Safety policy, including how concerns or incidents are recorded;
- the Club’s IT policies, including its Acceptable Use policy and Online Safety policy (managed by Fettes College).
WHOSE DATA WE COLLECT
We collect data relating to individuals who fall into one or more of the categories listed below. This list is not exhaustive and represents the current, former and prospective stages of each category in the list:
- Members and their guests
- Other guests (including Jog Scotland and FCLC Group Leaders)
- Staff (Permanent, Contracted and Self-employed)
- Special activities participants (Swim Stars, Superstars, Holiday activity camps)
- Suppliers and contractors
PURPOSES FOR PROCESSING PERSONAL DATA
In order to carry out its ordinary duties to members, staff and contracted staff, the Club may process a wide range of personal data about individuals (including current, past and prospective staff, members, students or parents) as part of its daily operation.
Some of this activity the Club will need to carry out in order to fulfil its legal rights, duties or obligations – including those under a contract with its staff, members, guests and customers.
Other uses of personal data will be made in accordance with the Club’s legitimate interests, or the legitimate interests of another, provided that these are not outweighed by the impact on data subjects, and provided it does not involve special or sensitive types of data. Examples of such interests are included below under “Examples of how we might use your information”.
In addition, the Club may need to process special category personal data (concerning health, ethnicity, religion, biometric data or sexual life) or criminal records information (such as when carrying out PVG checks) in accordance with rights or duties imposed on it by law, including safeguarding and employment, or from time to time by explicit consent where required. These reasons may include:
- To provide members with the best services in line with their current health and to provide or seek appropriate medical care, and to take appropriate action in the event of an emergency, incident or accident, including by disclosing details of an individual’s health to medical professionals where it is in the individual’s interests to do so;
- To provide members with access to the technologies used within our gym equipment;
- In connection with employment of its staff, for example PVG checks, welfare or pension plans;
- For legal and regulatory purposes (for example child protection, diversity monitoring and health and safety) and to comply with its legal obligations and duties of care.
EXAMPLES OF HOW WE MIGHT USE YOUR INFORMATION
Below is a list of the Club’s processing activities that may fall within its, or a third party’s, legitimate interest. We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
HOW WE MIGHT USE YOUR INFORMATION TO MANAGE YOUR CONTRACT WITH THE CLUB
- To provide access to health and wellbeing facilities offered by the Club;
- To safeguard students’ welfare and provide appropriate pastoral care;
- To process financial transactions to ensure the efficient and timely management of payment to use our facilities;
- To send updates to members about the Club’s activities that members can get involved in or any other relevant news about the Club;
- To market the Club to former members or prospective members where we have consent to do so;
- To facilitate participation at our additional activities such as Swim Stars, Westwoods Superstars, holiday activity camps and Jog Scotland;
- For security purposes, including CCTV in accordance with the School’s CCTV policy;
- Where otherwise reasonably necessary for FTV’s purposes, including to obtain appropriate professional advice and insurance for Fettes Enterprises Ltd.;
- Invitations to events;
HOW WE MIGHT USE YOUR INFORMATION IF YOU ARE A PROSPECTIVE, EXISTING OR FORMER EMPLOYEE
- To manage the recruitment process
- Processing PVG application forms
- Paying salaries, pension contributions and tax
- For the purposes of management planning and forecasting, research and statistical analysis, including that imposed or provided for by law (such as diversity or gender pay gap analysis and taxation records);
- Managing leave, disciplinary actions, grievance procedures
- To provide a safe and secure working environment
WHAT INFORMATION WE COLLECT
We will only store relevant data that allows us to fulfil our purposes outlined above. Data is generally collected directly from individuals when they enter into a contract with the Club. Additional data is collected during an individual’s relationship with the Club.
Examples of the data we store include:
- Names, addresses, contact phone numbers, email addresses;
- Familial relationships;
- Bank details and financial transactions;
- Where appropriate, information about individuals’ health and contact details for their next of kin;
- Members’ club usage;
- Correspondence, attendance at meetings or events, meeting notes;
- References given or received by the Club about staff or prospective staff or information provided by previous employers and/or other professionals or organisations;
- Images and video footage of members (to identify members at check-in), images captured by the Club’s CCTV system (in accordance with the School’s policies on CCTV and Taking, Storing and Using Images);
- Car details (about those who use our car parking facilities);
- Information, such as CVs relating to past, present and prospective Club personnel;
- Higher education, profession, employment information;
- Affinity, engagement;
- Biometric data
- Health/medical data
- Criminal data
WHERE YOUR INFORMATION IS STORED
Data is stored both electronically and in hard copy format where necessary. There are strict access policies in place where only authorised personnel can access the information they require. Data storage locations may include:
- Centralised administration databases
- Shared internal hard drive
- Individual hard drives
- Personal laptops, phones and iPads – may contain temporary notes that will be transferred to a central location
- Filing cabinets
- Third parties (See below for more information on data that is shared with third parties)
HOW WE KEEP YOUR INFORMATION SECURE
All those who have access to, and are associated with the processing of, personal data are legally obliged to respect the confidentiality of any data they need to access in order to carry out their work and are obliged to process data in accordance with our internal policies outlined in ‘About this Notice’.
HOW LONG WE KEEP YOUR DATA FOR
As per our internal Retention Policy, we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
SHARING DATA WITH THIRD PARTIES
We may need to share some of your data with a third-party provider to fulfil our purposes. When we share data with a third party we will always ensure that we have the necessary contracts in place to ensure the security of your data. We will only share special category data, securely, with a third party if it is our legal obligation or in order to provide onsite medical care. Examples of third party processors may include:
- Administrative databases
- Email marketing providers
- Direct mail service providers
- Educational service (including online) providers
- Local authorities
- Pension providers
- IT services including cloud storage providers
- Appointed GP practice
- Consultancy organisations who may analyse our data
- Professional advisors
TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA
Restrictions on data leaving the EEA are in place to ensure that the level of data protection available to individuals within the EEA is not compromised.
Some of our processes may require us to transfer data outside of the EEA. Generally, this occurs when we use a third-party processor that has servers based outside of the EEA. In these instances, we will ensure that the appropriate safeguards are in place to ensure an individual’s data protection rights are met.
GETTING IN TOUCH
If you would like to get in touch to update your information, amend your preferences, change the way we process your information or for any general data protection enquiries, you can do so by using the following means:
Post: Westwoods Health Club, 7 Westwoods, Edinburgh, EH4 1RA
Phone: +44 (0) 131 332 5777
If you feel your data has not been used in accordance with this policy, please notify us by using the contact details outlined above. We do hope that any matters of complaint may be resolved between the complainant and Fettes Enterprises Ltd. However, if you feel the need to escalate any complaint where there has been no satisfactory resolution in dealing directly with Fettes Enterprises Ltd, you may contact the ICO (ico.org.uk), who are the governing body for data protection information in the UK.
The rights under Data Protection Law belong to the individual to whom the data relates. For the purposes of delivering our obligations under the Club contract we will usually liaise with the parent and share child data with them relating to their child’s progress and behaviour, Club activities and the general wellbeing of their child.
Where a child seeks to raise concerns confidentially with a member of staff and expressly withholds their agreement to their personal data being disclosed to their parents, we may be under an obligation to maintain confidentiality unless, in our opinion, there is a good reason to do otherwise; for example, where the Club believes disclosure will be in the best interests of any child or is required by law.
HOW TO FIND OUT IF WE ARE PROCESSING YOUR DATA AND REQUEST A COPY OF YOUR INFORMATION
You have the right to ask if your data is being processed by us and the right to ask for a copy of the data related to you that we are processing. A person with parental responsibility will generally be entitled to make a subject access request on behalf of a child, but the information in question is always considered to belong to the individual to whom the data relates. In Scotland, the law presumes that a child of 12 years or more has the capacity to exercise their rights under the Data Protection Law. A child of any age may ask a parent or other representative to make a subject access request on their behalf. Moreover (if of sufficient maturity) their consent or authority may need to be sought by the parent making such a request. Requests for data that are excessive or repetitive will be subject to a fee.
HOW TO HAVE YOUR DATA AMENDED OR DELETED
You have the right to have inaccurate data rectified or completed (if it is incomplete), or have your data erased. Some exceptions may apply where we have another lawful reason to continue to process your data.
HOW TO STOP US USING YOUR DATA FOR CERTAIN PURPOSES
You have the right to object to certain processes, such as fundraising activities, as long as it does not interfere with contractual or lawful obligations that we still may need to fulfil.
HOW TO TRANSFER DATA
You have the right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
To act upon any of your rights outlined above, please contact us using the details provided. Requests may be made verbally or in writing. We will aim to respond to any such requests within one month of receipt. We may need to take steps to confirm the identity of the requestor depending on the method by which the request was made. Some requests (or part thereof) may be refused and, in such cases, we will respond outlining the reason for refusal.